The European Union’s Parliament on Thursday approved a new anti-spam and online privacy directive that could dramatically alter the practice of email marketing in the region, while granting controversial rights to member states to monitor Web surfers’ activities.

The directive’s spam clauses establish “opt-in” as the default rule for commercial email — meaning that consumers must give prior permission to marketers before being sent electronic communications. All commercial email communications also must have an “opt-out” feature.

The ban on unsolicited email doesn’t apply to existing customer relationships, however, so retailers can continue sending mail to consumers with whom they’ve done business (while still providing a legitimate mechanism to opt-out).

The directive also states that Web surfers must be told ahead of time about sites’ cookie procedures, giving consumers the right to refuse cookie-based data-collection. It also specifies that users must give explicit permission for their personal data to be included in public directories.

The directive’s most controversial clause, however, lays down the law on the sharing of user’s online Internet activities by Internet Service Providers. The regulation states that ISPs may allow third-parties to access consumers’ data without the user’s permission only in the event of criminal investigations or matters of national or public security — when “necessary, appropriate and proportionate measure within a democratic society,” according to the directive’s text.

The clause represents a compromise between both Parliamentary conservatives and socialists, and also with the conservative-leaning Spanish presidency of the EU Council, which earlier this month had pushed for modifications to the directive.

Still, several high-profile Parliamentarians were dissatisfied with the wording of the clause and the freedoms it granted to European governments. Marco Cappato, who had served as chairman of the debate on the directive at its introduction in the Parliament’s Freedoms and Rights Committee, said in a statement that he absolved himself of any responsibility for the bill’s effects, adding that it entailed “massive restrictions on civil liberties” and ran counter to the position of the Committee.

The compromise also gives each EU member state the right to legislate its own policies on data retention — namely, whether ISPs would be required to retain information on customers’ Internet activity in the event of future police investigations, or whether such data would only begin to be collected in the event that an investigation is launched.

The compromise also said that lawful interceptions of electronic communications should also be in accordance with the European Convention of Human Rights and Fundamental Freedoms and with the rulings of the European Court of Human Rights.

Following the Parliament’s agreement on the directive, it now remains for EU member states to individually pass the regulation as part of their own national laws — a process that often can take years.

The directive also is to be reviewed by Parliament within three years of its application by member states.